Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
This is a critical vulnerability.
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
the encrypted version stored in 'enc_part' instead of the unencrypted
version stored in 'ticket'. Use of the unencrypted version provides an
opportunity for successful server impersonation and other attacks.
See the Orpheus Lyre website
for more details.
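
The check described above, reduced to its core as an added example (not
Heimdal's code): the structs, function names and sample principals are
hypothetical stand-ins, and only exact name matching is modelled.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for KDC-REP fields; these are not Heimdal's types. */
struct principal { const char *realm; const char *name; };

struct kdc_rep {
    struct principal ticket_sname; /* cleartext part of 'ticket': no integrity protection */
    struct principal enc_sname;    /* from the decrypted 'enc_part': protected by the reply key */
};

static bool principal_eq(const struct principal *a, const struct principal *b)
{
    return strcmp(a->realm, b->realm) == 0 && strcmp(a->name, b->name) == 0;
}

/* Behaviour before the fix: trusts the name from the unencrypted ticket. */
bool sname_ok_unencrypted(const struct kdc_rep *rep, const struct principal *want)
{
    return principal_eq(&rep->ticket_sname, want);
}

/* Behaviour after the fix: trusts only the name from enc_part. */
bool sname_ok_encrypted(const struct kdc_rep *rep, const struct principal *want)
{
    return principal_eq(&rep->enc_sname, want);
}

/* Constructed reply in which the two copies of the service name disagree. */
struct kdc_rep sample_mismatched_reply(void)
{
    struct kdc_rep rep = {
        .ticket_sname = { "EXAMPLE.TEST", "host/files.example.test" },
        .enc_sname    = { "EXAMPLE.TEST", "host/other.example.test" },
    };
    return rep;
}

int main(void)
{
    struct principal want = { "EXAMPLE.TEST", "host/files.example.test" };
    struct kdc_rep rep = sample_mismatched_reply();

    printf("unencrypted check accepts: %d\n", sname_ok_unencrypted(&rep, &want));
    printf("encrypted check accepts:   %d\n", sname_ok_encrypted(&rep, &want));
    return 0;
}
```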

Fix transit path validation. Commit f469fc6 (2010-10-02) inadvertently
caused the previous hop realm to not be added to the transit path
of issued tickets. This may, in some cases, enable bypass of capath
policy in Heimdal versions 1.5 through 7.2.
Note that this may break sites that rely on the bug. With the bug, some
incomplete [capaths] worked that should not have. These may now break
authentication in some cross-realm configurations.
(CVE-2017-6594)

hcrypto is now thread-safe on all platforms and, as
much as possible, hcrypto now uses the operating system's
preferred crypto implementation, ensuring that optimized
hardware-assisted implementations of AES-NI are
used.

The DES3 GSS-API mechanism has been changed to
inter-operate with other GSSAPI implementations. See the
gssapi(3) man page for how to turn on generation of correct
MIC messages. The next major release of Heimdal will
generate correct MICs by default.